A review of Washington State’s health insurance exchange conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed a number of website and database security issues that have placed personally identifiable information (PII) at risk of exposure.

OIG conducted its review to determine whether the Washington health insurance marketplace had implemented appropriate controls to ensure PII was protected in line with Federal requirements, including those detailed in the Centers for Medicare & Medicaid Services’ (CMS) Minimum Acceptable Risk Standards for Exchanges.

OIG assessed the Washington marketplace’s policies and procedures, and evaluated the security controls that had been implemented to protect the website and database. The marketplace’s internal controls were outside the scope of the review.

While a number of security controls had been implemented, OIG found that the Washington marketplace had not always complied with federal requirements. OIG auditors discovered that a vulnerability scan had not been performed, and the website and database had not been appropriately secured.

As a result, vulnerabilities existed which could potentially have been exploited by malicious actors. Some of the vulnerabilities were serious and could have resulted in the confidentiality and integrity of data being compromised. However, OIG auditors did not find any evidence to suggest that any of the security vulnerabilities had actually been exploited.

The marketplace’s Plan of Action and Milestones had also fallen short of the minimum requirements of the Centers for Medicare & Medicaid Services.

OIG noted in its report, that “without proper safeguards, systems were not protected from individuals and groups with malicious intent to obtain access in order to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.”

OIG issued a number of detailed recommendations to address the security failures and increase protections. The marketplace agreed with OIG recommendations and has taken action to address the security vulnerabilities, and has corrected issues with its policies and procedures.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.